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Detailed Action 



1 . This action is responsive to communication: original application filed 
31 July 2000. 

2. Claims 1-26 are currently pending in this application. Claims 1,12, and 22 are 
independent claims. 



3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1 ) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 



of such treaty in the English language 
4. Claims 1-5, 7, 9, and 11-17 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Alonso et al. U.S. Patent No. 6,434,700 (hereinafter 700). 

As to independent claim 1, ''A computer network comprising a plurality of 
interconnected network devices including: (a) a plurality of client computers; (b) 
an authentication server computer operated by a system administrator; and (c) a 
disk drive connected to the authentication server computer, the disk drive 
comprising: an interface for receiving personal authentication data and user 
access data from the system administrator; a disk for storing data; a disk 
controller for controlling access to the disk; an authenticator, responsive to the 
personal authentication data, for enabling the disk controller;" is taught in 700 
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col. 5, line 64 - col. 6, line 29 "the network access server sends the user access 
information to a centralized server, such as an Access Control Server ("ACS"). The 
ACS provides a central point of control for the management of multiple security 
services, and network devices ... The ACS allows system administrators to use a 
variety of authentication mechanisms with varying degrees of authorization privileges." 

"cryptographic circuitry for encrypting the user access data received from 
the system administrator into encrypted data stored on the disk" is shown in 700 
col. 2, lines 6-7 and col. 6, lines 16-19 "Generally, a Fortezza security system includes 
a Fortezza Crypto card that stores unique encrypted information, and which executes 
encryption algorithms to produce a scrambled one-time password ("OTP"). The card is 
a self-contained hardware system" and "The ACS integrates and supports various 
authentication and authorization technologies, including token cards, and Fortezza 
security systems". 

As to dependent claim 2, "wherein the user access data comprises a 
plurality of user identifiers and corresponding access rights to the plurality of 
network devices" is disclosed in 700 col. 6, lines 16-29 "The ACS determines who 
may access the network, what services they are authorized to use, and to whom the 
services are to be charged and for how much". 

As to dependent claim 3, "The computer network as recited in claim 2, 
wherein the user access data further comprises user authentication data" is 
shown in 700 col. 6, lines 16-29 "Thus, the ACS provides Authorization, Authentication, 
and Accounting ("AAA") functions for a managed network". 
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As to dependent claim 4, "The computer network as recited in claim 3, 
wherein the user authentication data comprises a user password" is taught in 
700 col. 1, lines 6-10 "The present invention generally relates to management of 
computer networks, and relates more specifically to network access control 
mechanisms that authenticate and authorize users of passwords generated by the 
Fortezza cryptographic protocol". 

As to dependent claim 5, this claim contains texts that contain substantially 
similar limitations as cited in claim 4 and are rejected along the same rationale. 

As to dependent claim 7, "The computer network as recited in claim 2, 
wherein: (a) the disk stores encrypted device access data associated with the 
network devices; and (b) the device access data for use in authenticating device 
access requests transmitted from client computers to the network devices" is 
taught in 700 col. 6 line 62 - col. 7 line 7 "the network access server sends the user 
access information to a centralized server, such as an Access Control Server ("ACS"). 
The ACS provides a central point of control for the management of multiple security 
services, and network devices". 

As to dependent claim 9, "The computer network as recited in claim 7, 
wherein: (a) the interface receives unencrypted device access data; and (b) the 
cryptographic circuitry encrypts the unencrypted device access data into the 
encrypted device access data stored on the disk" is disclosed in 700 col. 9, 
lines 1-9 "send user access information to the network access server 104. The user 
access information typically contains a username and password. The password can 
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be a fixed password or an OTP type password obtained through the use of a Smart 
card or Token card, depending on the level of authentication. The password type can 
also be a Fortezza password which is a unique hash value produced by a Fortezza 
Crypto card 107a and Fortezza card reader". 

As to dependent claim 11, "The computer network as recited in claim 7, 
wherein the encrypted device access data is transmitted from the network 
devices to the disk drive" is taught in 700 col. 9, lines 9-19 "the network access 
server 104 receives user access information from client 102 ... Hence, at block 304, the 
network access server 104 passes the user access information to the Access Control 
Server 202. The network access server 104 controls modems and ports that are used 
to connect to network 108, but does not examine the type of password contained in the 
user access information. It simply fonA/ards the user access information to the Access 
Control Server 202 which is a point of centralized control of network access and the 
provision security services". 

As to independent claim 12, "A computer network comprising a plurality of 
interconnected network devices including: (a) a plurality of client computers; (b) 
an authentication server computer; and (c) a disk drive connected to the 
authentication server computer, the disk drive comprising: an interface for 
receiving from a client computer a user ID and a user access request to access a 
network device, and for transmitting device access data to the client computer" 
and "wherein the disk controller uses the decrypted data to generate the device 
access data transmitted to the client computer" is taught in 700 col. 5, line 64 - col. 
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6, line 29 "the network access server sends the user access information to a centralized 
server, such as an Access Control Server ("ACS")" 

"a disk for storing encrypted data, a disk controller, responsive to the user 
ID and user access request, for controlling access to the disk; and cryptographic 
circuitry for decrypting the encrypted data stored on the disk to generate 
decrypted data" is shown in 700 col. 2, lines 6-7 and col. 6, lines 16-19 "Generally, a 
Fortezza security system includes a Fortezza Crypto card that stores unique encrypted 
information, and which executes encryption algorithms to produce a scrambled one-time 
password ("OTP"). The card is a self-contained hardware system" 

As to dependent claim 13, "The computer network as recited in claim 12, 
wherein: (a) the encrypted data comprises encrypted user authentication data 
corresponding to the user ID; and (b) the cryptographic circuitry decrypts the 
encrypted user authentication data to generate decrypted user authentication 
data" is shown in 700 col. 2, lines 6-7 and col. 6, lines 16-19 "Generally, a Fortezza 
security system includes a Fortezza Crypto card that stores unique encrypted 
information, and which executes encryption algorithms to produce a scrambled one- 
time password ("OTP"). The card is a self-contained hardware system" and "The ACS 
integrates and supports various authentication and authorization technologies, 
including token cards, and Fortezza security systems". 

As to dependent claim 14, "The computer network as recited in claim 13, 
wherein the decrypted user authentication data comprises a user password" is 
taught in 700 col. 1, lines 6-10 "The present invention generally relates to 
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management of computer networks, and relates more specifically to network access 
control mechanisms that authenticate and authorize users of passwords generated by 
the Fortezza cryptographic protocol". 

As to dependent claim 15, The computer network as recited in claim 12, 
wherein the cryptographic circuitry encrypts the device access data before 
transmission to the client computer" is shown in 700 col. 9, lines 9-19 "the network 
access server 104 receives user access information from client 102". 

As to dependent claim 16, "The computer network as recited in claim 13, 
wherein:(a) the cryptographic circuitry encrypts the device access data before 
transmission to the client computer; and (b) the cryptographic circuitry encrypts 
the device access data using a cryptographic user key extracted from the 
decrypted user authentication data" is taught in 700 col. 5, line 64 - col. 6, line 29 
"the network access server sends the user access information to a centralized server, 
such as an Access Control Server ("ACS"). The ACS provides a central point of control 
for the management of multiple security services, and network devices 

As to dependent claim 17, "The computer network as recited in claim 16, 
wherein the cryptographic user key is generated by the cryptographic circuitry 
using the decrypted user authentication data" is shown in 700 col. 2, lines 6-7 
"Generally, a Fortezza security system includes a Fortezza Crypto card that stores 
unique encrypted information, and which executes encryption algorithms to produce a 
scrambled one-time password ("OTP"). The card is a self-contained hardware system" 
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Claim Rejections - 35 USC § 103 



5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains, n 
Patentability shall not be negatived by the manner in which the invention was made. 

6. Claims 6, 8, 10, and 18-21 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over 700 as applied to claims 1 and 12 in further view of DeTreville U.S. 
Patent No. 6,609,199 (hereinafter '199). 

As to dependent claim 6, the following in not taught in 700: "The computer 
network as recited in claim 1, wherein: (a) the cryptographic circuitry comprises 
an immutable secret drive key configured during manufacture of the disk drive; 
and (b) the secret drive key for use in encrypting the user access data" however 
*199 teaches "Computers 102 and 104 include access ports 112 and 1 14, respectively. 
Access ports 112 and 114 allow a portable integrated circuit (IC) device, such as 
device 1 16, to be communicably coupled to computers 102 and 104 (e.g., device 116 
may be inserted into ports 112 and 114). This coupling can be accomplished in any of 
a variety of conventional manners" and "The CPU manufacturer equips the CPU 134 
with a pair of public and private keys 1 50 that is unique to the CPU. For discussion 
purposes, the CPU's public key is referred to as "K.sub.CPU " and the corresponding 
private key is referred to as "K.sub.CPU. sup. -1 ". Other physical implementations may 
include storing the key on an external device to which the main CPU has privileged 
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access (where the stored secrets are inaccessible to arbitrary application or operating 

system code)" in col. 4 lines 7-9 and col. 5 lines 54-60. 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify an authorization access server taught in 700 to include a secret 
device key. One of ordinary skill in the art would have been motivated to perform such 
a modification because secret device key put in place by a manufacturer is well known 
in the art to maintain security see '199 (col. 2, lines 27 et seq.) "The invention addresses 
these disadvantages, providing an improved way to maintain the security of private 
information on a portable IC device". 

As to dependent claim 8, "The computer network as recited in claim 7, 
wherein the encrypted device access data comprises an encrypted secret device 
key shared with a corresponding network device" is taught in '199 col. 5 lines 54-60 
"The CPU manufacturer equips the CPU 134 with a pair of public and private keys 150 
that is unique to the CPU. For discussion purposes, the CPU's public key is referred to 
as "K.sub.CPU.sup-1". Other physical implementations may include storing the key on 
an external device to which the main CPU has privileged access (where the stored 
secrets are inaccessible to arbitrary application or operating system code)" 

As to dependent claim 10, "The computer network as recited in claim 7, 
wherein the encrypted device access data is stored on the disk during 
manufacture of the disk drive" is taught in '199 col. 5 lines 54-60 "The CPU 
manufacturer equips the CPU 134 with a pair of public and private keys 150 that is 
unique to the CPU. For discussion purposes, the CPU's public key is referred to as 
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"K.sub.CPU.sup-1". Other physical implementations may include storing the key on an 
external device to which the main CPU has privileged access (where the stored secrets 
are inaccessible to arbitrary application or operating system code)". 

As to dependent claim 18, 'The computer network as recited in claim 16, 
wherein the cryptographic user key is a public key for use in a public key 
encryption algorithm" is shown in '199 col. 5 lines 54-60 "The CPU manufacturer 
equips the CPU 134 with a pair of public and private keys 150 that is unique to the 
CPU". 

As to dependent claim 19, "The computer network as recited in claim 12, 
wherein: (a) the cryptographic circuitry encrypts the device access data using a 
secret device key shared with the network device; and (b) the secret device key is 
used by the network device to authenticate device access requests received from 
client computers" is shown in '199 col. 5 lines 54-60 "The CPU manufacturer equips 
the CPU 134 with a pair of public and private keys 150 that is unique to the CPU". 

As to dependent claim 20, 'The computer network as recited in claim 19, 
wherein the secret device key shared with the network device is stored in 
encrypted form on the disk and decrypted by the cryptography circuitry, is shown 
in 700 col. 2, lines 6-7 and col. 6, lines 16-19 "Generally, a Fortezza security system 
includes a Fortezza Crypto card that stores unique encrypted information, and which 
executes encryption algorithms to produce a scrambled one-time password ("OTP"). 
The card is a self-contained hardware system" and "The ACS integrates and supports 
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various authentication and authorization technologies, including token cards, and 

Fortezza security systems". 

As to dependent claim 21, "The computer network as recited in claim 12, 
wherein: (c) the cryptographic circuitry comprises an immutable secret drive key 
configured during manufacture of the disk drive; and (d) the secret drive key for 
use in decrypting the encrypted data stored on the disk" is shown in '199 col. 5 
lines 54-60 "The CPU manufacturer equips the CPU 134 with a pair of public and 
private keys 150 that is unique to the CPU. For discussion purposes, the CPU's public 
key is referred to as "K.sub.CPU " and the corresponding private key is referred to as 
"K.sub.CPU.sup.-l". Other physical implementations may include storing the key on an 
external device to which the main CPU has privileged access (where the stored secrets 
are inaccessible" to arbitrary application or operating system code)". 
7. Claims 22-26 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
700 in further view of '199. 

As to independent claim 22, "A computer network comprising a plurality of 
interconnected network devices including: (a) a plurality of client computers; (b) 
an authentication server; and (c) a disk drive comprising: an interface for 
receiving an encrypted device access request and for inputting/outputting user 
data from/to a client computer; a disk for storing data; a disk controller for 
controlling access to the disk; an internal drive key;" and "an authenticator, 
responsive to the decrypted secret device key, for authenticating the device 
access request " is taught in 700 col. 5, line 64 - col. 6, line 29 "the network access 
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server sends the user access information to a centralized server, such as an Access 
Control Sen/er ("ACS"). The ACS provides a central point of control for the 
management of multiple security services, and network devices" the following is not 
taught in 700: 

"a secret device key shared with the authentication server, the secret 
device key stored in encrypted form; cryptographic circuitry, responsive to the 
internal drive key, for decrypting the encrypted secret device key to generate a 
decrypted secret device key" however '199 teaches "Computers 102 and 104 
include access ports 112 and 1 14, respectively. Access ports 112 and 114 allow a 
portable integrated circuit (IC) device, such as device 1 16, to be communicably 
coupled to computers 102 and 104 (e.g., device 116 may be inserted into ports 112 
and 114). This coupling can be accomplished in any of a variety of conventional 
manners" and "The CPU manufacturer equips the CPU 134 with a pair of public and 
private keys 150 that is unique to the CPU. For discussion purposes, the CPU's public 
key is referred to as "K.sub.CPU " and the corresponding private key is referred to as 
"K.sub.CPU.sup.-l ". Other physical implementations may include stonng the key on 
an external device to which the main CPU has privileged access (where the stored 
secrets are inaccessible to arbitrary application or operating system code)" in col. 4 
lines 7-9 and col. 5 lines 54-60. 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify an authorization access server taught in 700 to include a secret 
device key. One of ordinary skill in the art would have been motivated to perform such 
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a modification because secret device key put in place by a manufacturer is well known 
in the art to maintain security see '199 (col. 2, lines 27 et seq.) "The invention addresses 
these disadvantages, providing an improved way to maintain the security of private 
information on a portable IC device". 

As to dependent claim 23, "The computer network as recited in claim 22, 
wherein the encrypted secret device key stored on the disk" is taught in '199 col. 5 
lines 54-60 "The CPU manufacturer equips the CPU 1 34 with a pair of public and 
private keys 150 that is unique to the CPU, For discussion purposes, the CPU's public 
key is referred to as "K.sub.CPU " and the corresponding private key is referred to as 
"K.sub.CPU.sup.-1 Other physical implementations may include storing the key on an 
external device to which the main CPU has privileged access (where the stored secrets 
are inaccessible to arbitrary application or operating system code)" 

As to dependent claim 24, "The computer network as recited in claim 22, 
wherein the encrypted secret device key is configured during manufacture of the 
disk drive" is shown in '199 col. 5 lines 54-60 "The CPU manufacturer equips the CPU 
134 with a pair of public and private keys 150 that is unique to the CPU. 

As to dependent claim 25, "The computer network as recited in claim 22, 
wherein the disk drive transmits the encrypted secret device key to the 
authentication server" is taught in '700 col. 9, lines 9-19 "the network access server 
104 receives user access information from client 102. In system 200, the 
communications function of accessing the network, and the structure that supports this 
function, are separated from the security functions". 
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As to dependent claim 26, "The computer network as recited in claim 22, 
wherein the internal drive key comprises tamper-resistant circuitry" is taught in 
'199 col. 6, lines 62-64 "Alternatively, the CPU 134 can store the boot log 158 in 
volatile memory 138 in a cryptographic tamper-resistant container". 

Conclusion 

8. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Naclerio U.S. Patent No. 5,687,237 issued dated: Nov. 11, 1997 
Stoltz et al. U.S. Patent No. 6,615,264 issued dated: Sep. 2, 2003 

9. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Ellen C Tran whose telephone number is 

(703) 305-8917. The examiner can normally be reached on 6:30 am to 3:30 pm. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory A Morse can be reached on (703) 308-4789. The fax phone 
number for the organization where this application or proceeding is assigned is 703- 
872-9306. 

Any inquiry of a general nature or relating to the status of this application or 
proceeding should be directed to the receptionist whose telephone number is (703) 306- 
5484. 



Ellen. Tran 
Patent Examiner 
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